Controllerless Networks

Occasional Contributor I

Re: IAP 103 MAC authentication RADIUS authentication

Hi Tim,

Unfortunately, for the client, just the machine authentication is not enough (MAC addresses are easily spoofed). It has to have both levels of authentication.

So, in conclusion, just with the Virtual Controller of IAPs it is not possible to have these two levels of authentication.

That would only be possible by having ClearPass and defining these policies in its RADIUS.

That's what I will say to the client.

Thanks for all the help.

Cheers,

Pedro

Guru Elite

Re: IAP 103 MAC authentication RADIUS authentication

Machine authentication does not use a MAC address. It uses the computer's AD account to authenticate to the network.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Aruba Employee

Re: IAP 103 MAC authentication RADIUS authentication

Machine authentication means that both the machine account and the user account have to be authenticated against the RADIUS server before the client will get full access.  It should be able to satisfy the security requirement, I believe.

Occasional Contributor I

Re: IAP 103 MAC authentication RADIUS authentication

So, what you are saying is that in my SSID security level I'll skip MAC authentication and let the RADIUS server do all the work (machine authentication). Something like this:

RADIUS: Configuring PEAP-MSCHAPv2 - Machine Authentication

WPA2-Enterprise with 802.1X authentication can be used to authenticate users or computers in an Active Directory domain. The supplicant (wireless client) authenticates against the RADIUS server (authentication server) using an EAP method configured on the RADIUS server. The gateway APs' (authenticator) role is to relay authentication messages between the supplicant and the authentication server. This means the RADIUS server is responsible for authenticating users. APs perform EAPOL exchanges with the supplicant and convert these to RADIUS Access-Request messages, which are sent to the RADIUS server's IP address and UDP port specified in Dashboard. Gateway APs need to receive a RADIUS Access-Accept message from the RADIUS server in order to grant the supplicant access to the network. For best performance, it is recommended to have the RADIUS server and gateway APs located within the same layer-2 broadcast domain to avoid firewall, routing, or authentication delays. Keep in mind the AP is not responsible for authenticating wireless clients and acts as an intermediary between clients and the RADIUS server. Below are the steps to configure WPA2-Enterprise with 802.1X authentication using PEAP EAP-MSCHAPv2 on a Windows NPS server. PEAP EAP-MSCHAPv2 is a widely supported EAP method among hardware and software manufacturers.

1. Install an Active Directory based PKI and deploy the CA chain to domain member systems using Group Policy.

2. Obtain a digital certificate on the NPS server using Active Directory enrollment.

3. Configure an SSID to use WPA2-Enterprise with 802.1X authentication in Dashboard.

4. Add APs as RADIUS clients on the NPS server and configure the PEAP-MSCHAPv2 policy in NPS.

5. Deploy PEAP-MSCHAPv2 wireless network settings to domain member computers using Group Policy.

Please follow the KB articles in the order below to accomplish each of the steps presented above.

 

Guru Elite

Re: IAP 103 MAC authentication RADIUS authentication

Yes


Thanks,
Tim

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Aruba Employee

Re: IAP 103 MAC authentication RADIUS authentication

Yes, you should fully disable MAC authentication and follow the user guide to enable machine authentication.

If you follow the relevant sections in the user guide, you should find instructions to define three roles for machine authentication: a machine-only role, a user-only role, and a full-access role. A client whose machine account is authenticated but not user-authenticated will get the machine-only role. A client whose user account is authenticated but whose machine account is not authenticated will get the user-only role. Only a client that has both types of accounts authenticated will get the full-access role. This way you should have very granular control over security, and only let corporate-issued clients get the full role.
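To make the three-role model above concrete, here is a small simulation of the role derivation (added example, not Aruba's code or the user guide's). It assumes Windows machine accounts present a `host/<fqdn>` identity in PEAP while users present `DOMAIN\user` or a UPN, and it assumes a 24-hour machine-authentication cache keyed by client MAC; the MAC is only the correlation key between the two 802.1X authentications, never an authenticator itself, which is why the spoofing concern raised earlier in the thread does not apply.

```python
from dataclasses import dataclass, field
from typing import Dict

MACHINE_ROLE, USER_ROLE, FULL_ROLE = "machine-only", "user-only", "full-access"
# Assumed cache lifetime for a successful machine auth; check the IAP setting you deploy.
MACHINE_AUTH_CACHE_SECS = 24 * 3600


def is_machine_identity(user_name: str) -> bool:
    """Windows machine accounts authenticate as 'host/<fqdn>'; anything else is a user."""
    return user_name.lower().startswith("host/")


@dataclass
class RoleEngine:
    # client MAC -> timestamp of its last successful machine authentication
    machine_auth_seen: Dict[str, float] = field(default_factory=dict)

    def on_access_accept(self, client_mac: str, user_name: str, now: float) -> str:
        """Derive the role to apply after the RADIUS server returned Access-Accept."""
        mac = client_mac.lower()
        if is_machine_identity(user_name):
            # Machine account authenticated: remember it, but grant only the machine-only role
            # until a user also authenticates from this device.
            self.machine_auth_seen[mac] = now
            return MACHINE_ROLE
        # User account authenticated: full access only if this device completed
        # a machine auth within the cache window; otherwise it is treated as non-corporate.
        seen = self.machine_auth_seen.get(mac)
        if seen is not None and now - seen <= MACHINE_AUTH_CACHE_SECS:
            return FULL_ROLE
        return USER_ROLE


def demo() -> Dict[str, str]:
    """Constructed sample Access-Accept events: a domain laptop and a BYOD device with domain creds."""
    engine = RoleEngine()
    return {
        "laptop boot (machine auth)": engine.on_access_accept("AA:BB:CC:DD:EE:01", "host/lt01.corp.example", 1000.0),
        "laptop user logon": engine.on_access_accept("aa:bb:cc:dd:ee:01", "CORP\\alice", 1500.0),
        "BYOD with domain creds": engine.on_access_accept("AA:BB:CC:DD:EE:02", "bob@corp.example", 1500.0),
        "laptop user logon after cache expiry": engine.on_access_accept(
            "AA:BB:CC:DD:EE:01", "CORP\\alice", 1000.0 + MACHINE_AUTH_CACHE_SECS + 1),
    }


if __name__ == "__main__":
    for event, role in demo().items():
        print(f"{event}: {role}")
```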

Occasional Contributor I

Re: IAP 103 MAC authentication RADIUS authentication

Tim and Yan,

That sounds perfect. I'll go ahead and try it.

Thanks for all the help.
